Microsoft Defender CVEs: CVE-2026-41091 (local privilege escalation) and CVE-2026-45498 (denial of service)

May 21, 2026 / May 21, 2026 by Alex Mira | Leave a comment

Two new Microsoft Defender vulnerabilities have been published in the National Vulnerability Database with corresponding entries in Microsoft’s Security Update Guide: CVE-2026-41091 and CVE-2026-45498. Both pertain to core Defender components on Windows endpoints, making them relevant for administrators and security teams that rely on Defender for antimalware protection.

CVE-2026-41091 is described as an improper link resolution before file access issue—often called a “link following” weakness. In practical terms, this class of flaw can occur when a privileged process follows a filesystem link (such as a junction or symlink) without adequate checks. According to the NVD summary, an authorized local attacker could leverage this condition to elevate privileges. The key point is “local” and “authorized”: an attacker would already need a foothold on the system to attempt this.

CVE-2026-45498 is a denial-of-service vulnerability in Microsoft Defender. The NVD entry labels it as DoS without further technical detail. In the Defender context, a successful DoS could degrade or interrupt protection and monitoring on affected machines, at least temporarily.

What’s confirmed vs. still unclear

Confirmed: CVE-2026-41091 exists in Microsoft Defender and involves improper link following, enabling local privilege escalation by an authorized attacker. Source: NVD and Microsoft Security Update Guide entries.
Confirmed: CVE-2026-45498 is a denial-of-service vulnerability in Microsoft Defender. Source: NVD and Microsoft Security Update Guide entries.
Unclear from the public summaries: specific affected versions, exact exploit conditions, severity scores, patch availability timelines, and whether there is evidence of exploitation in the wild. Those details are not provided in the NVD snippets linked to Microsoft’s advisories.

Why it matters

Defender runs with elevated privileges and is widely deployed by default on Windows. A local privilege escalation route can help a post-compromise attacker gain higher-impact access, while a DoS in the antimalware engine could disrupt protection or incident response visibility. Even without exploit details, these categories of flaws warrant prompt review by defenders.

Practical next steps

Based on the available evidence, the most reliable way to proceed is to consult Microsoft’s official advisories and follow vendor guidance as it is updated:

Microsoft Security Update Guide entry for CVE-2026-41091: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091
Microsoft Security Update Guide entry for CVE-2026-45498: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498

Enterprises should track these pages for confirmation of affected components and any remediation or update instructions. If you manage Defender updates centrally, review your normal deployment and monitoring processes so you can apply vendor-recommended updates when they are available and verify Defender health afterward.

Limitations and caveats

Information currently public via NVD and the linked Microsoft advisories is concise. Without additional vendor detail, we cannot confirm affected versions, patch status, or real-world exploitation. This article will remain conservative on claims until Microsoft’s guidance provides more specifics.

In the meantime, maintain standard hygiene for Windows endpoints: keep security baselines current, monitor endpoint health, and review least-privilege practices to reduce the impact of any local escalation paths.

If you oversee Windows security tooling, bookmark the advisories above and fold them into your vulnerability management queue. As Microsoft updates those entries, prioritize actions according to your environment’s exposure and change windows.

Alex Mira

Alex Mira is a fictitious AI-assisted author created for the Toolslib blog. Designed to support cybersecurity education, Alex writes about malware trends, software utilities, privacy practices, Windows internals, and practical defensive workflows. Articles published under Alex’s name are generated or assisted by AI and reviewed according to Toolslib’s editorial standards before publication.

Stay Updated with ToolsLib! 🚀
Join our community to receive the latest cybersecurity tips, software updates, and exclusive insights straight to your inbox!

Tagged

Pwn2Own Berlin 2026 day two: Exchange, Windows 11, and AI tooling fall to fresh zero-days

Pwn2Own Berlin 2026 day two delivered 15 new zero-days—spanning Microsoft Exchange, Windows 11, RHEL Workstations, NVIDIA Container Toolkit, and AI coding agents—triggering $385,750 in awards and setting up a busy patch cycle.

CVE-2026-42897: Exchange Server XSS exploited against Outlook on the web — mitigation via EEMS

CVE-2026-42897 is an actively exploited XSS spoofing flaw in Microsoft Exchange Server targeting Outlook on the web. No patch yet—enable Exchange Emergency Mitigation Service (EEMS) and monitor Microsoft’s advisories.

CVE-2026-43500 Linux rxrpc vulnerability

CVE-2026-43500: Linux rxrpc shared‑fragment bug tied to “Dirty Frag” page‑cache writes

CVE-2026-43500 fixes a Linux rxrpc flaw in how shared packet fragments are handled. It’s linked to the “Dirty Frag” chain enabling page‑cache writes and local root. Update kernels promptly.

SAP patches critical Commerce Cloud RCE and S/4HANA SQL injection (CVE-2026-34263, CVE-2026-34260)

SAP’s May 2026 updates fix two critical issues: unauthenticated RCE in Commerce Cloud (CVE-2026-34263) and authenticated SQL injection in S/4HANA Enterprise Search (CVE-2026-34260).

CVE-2026-42945 NGINX rewrite vulnerability

CVE-2026-42945: NGINX rewrite-module bug tied to PCRE captures and “?” in replacements

CVE-2026-42945 affects NGINX’s rewrite module under specific PCRE capture and replacement patterns, causing a heap overflow and worker restarts; code execution may be possible if ASLR is disabled. Version and patch details are not yet clear.

Claude Code CVE-2026-39861 sandbox escape

Claude Code CVE-2026-39861: symlink-assisted sandbox escape fixed

A GitHub advisory for CVE-2026-39861 details a symlink-based sandbox escape in Claude Code, now fixed. A separate CVE in jotty.page (CVE-2026-42564) addresses an unauthenticated path traversal fixed in 1.22.0.

CVE-2026-43284: Linux fixes an ESP decryption flaw tied to “Dirty Frag” reports

Linux has patched CVE-2026-43284 in the xfrm/ESP input path to avoid unsafe in-place decryption on shared fragments. Media link it to the “Dirty Frag” LPE chain, but only parts are confirmed. Here’s what’s known and what to do next.

Ivanti EPMM updates address multiple flaws (CVE-2026-5786/5787/5788/6973/7821)

Ivanti’s May 2026 advisory fixes five EPMM flaws spanning access control, certificate validation, and admin-level RCE prerequisites. Here’s what’s confirmed and what to do now.

CVE-2026-43284: Fix for in‑place decryption on shared skb fragments in Linux’s ESP path

CVE-2026-43284 fixes a Linux kernel ESP receive-path flaw where in-place decryption could occur on shared skb fragments. Here’s what’s confirmed and how to proceed.

CVE-2026-26956: vm2 sandbox escape in 3.10.4 enables host code execution, patch available

CVE-2026-26956 allows a vm2 sandbox escape in version 3.10.4, enabling host code execution under specific Node.js 25 settings. NVD says it’s patched in 3.10.5.

Critical cPanel Vulnerability CVE-2026-41940 Actively Exploited: What Website Owners and Hosting Providers Need to Know

CVE-2026-41940 is a critical cPanel and WHM authentication bypass vulnerability actively exploited in the wild. Learn who is affected, what attackers can do, and how to patch.

CVE-2026-31431 (“Copy Fail”): What You Need to Know

CVE-2026-31431 (“Copy Fail”) is a high-severity Linux kernel vulnerability enabling local privilege escalation and container escape. Learn its impact and how to patch or mitigate it effectively.